U.S. DEPARTMENT OF COMMERCE
Office of Inspector General
Office of the Secretary

Commerce Should Take Steps to Strengthen Its IT Security Workforce

Final Audit Report No. CAR-19569-1
September 2009

FOR PUBLIC RELEASE

Office of Audit and Evaluation

UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

SEPTEMBER 30, 2009

MEMORANDUM FOR:   Dennis F. Hightower
                  Deputy Secretary of Commerce

FROM:             Brett M. Baker
                  Assistant Inspector General for Audit

SUBJECT:          Commerce Should Take Steps to Strengthen Its IT Security Workforce
                  Final Audit Report No. CAR-19569-1

This memorandum transmits our final report on our audit of the IT security workforce at the Department of Commerce.
The purpose of the audit was to assess the Department’s efforts to develop and maintain an effective IT security workforce to protect its IT systems.

In short, we found that the Department has not devoted sufficient attention to ensuring an adequate IT security workforce; performance management of the IT security workforce needs to be improved; and the IT security workforce lacks appropriate security clearances. We recommended actions the Department should take to address these deficiencies.

Your September 30, 2009, response to our draft report concurs with our audit findings and commits to addressing our recommendations immediately. We summarize the response in our audit report and have included it in its entirety as appendix D. We are pleased to note that the Department has already initiated steps to improve its IT security workforce.

In accordance with Department Administrative Order 213-5, please provide us with an audit action plan within 60 days of the date of this memorandum. Please accept our thanks to the Department and its operating units for the courtesies shown to us during our fieldwork. If you have any questions, please contact me at (202) 482-2600 or Chris Rose at (202) 482-5558.

cc:   John F. Charles, deputy assistant secretary for administration
      Suzanne Hilding, chief information officer

Report In Brief
U.S. Department of Commerce Office of Inspector General
September 2009

Department of Commerce IT Security Workforce
Commerce Should Take Steps to Strengthen Its Information Technology Security Workforce

Why We Did This Review

With the threat of cyber attacks looming over government and private-sector computer networks, the Department of Commerce has become increasingly concerned about the safety of its sensitive information. The Office of Inspector General (OIG) initiated this audit to address the Department’s need for an information technology (IT) security workforce with the skills to protect Commerce’s IT systems against cyber attacks. OIG assessed the Department’s efforts to develop and maintain an effective IT security workforce because we have long identified information security as a top challenge for management.

Background

Our audit focused on the IT security personnel at nine Commerce operating units. We scrutinized the IT security employees’ specialized training, certification, security clearances, and professional development efforts. Our sample consisted of 11 information systems at the operating units. We chose systems that we believed the Department and operating units would place particular emphasis on staffing with experienced and trained professionals.

What We Found

In our audit, we discovered that the Department needs to devote more attention to the development and guidance of its IT security personnel who protect the Department’s sensitive computer systems and information.

• Few of the operating units we reviewed were taking the necessary steps to meet training requirements or keep accurate training records. Moreover, professional development plans were not generally used.

• On the whole, performance management and accountability need to improve. We found several instances in which IT security responsibilities were not included in employees’ formal performance plans. Also, personnel with significant security roles were not always formally notified of their duties.

• Finally, we found that some IT security personnel in the operating units we audited did not have the level of security clearance Department policy requires. The IT security workforce on the front line of protecting the Department’s assets should have levels of clearance commensurate with their responsibilities.

What We Recommend

To develop and maintain an effective IT security workforce, we recommend Commerce implement a Department-wide plan that will address the deficiencies identified in this audit. We advise Commerce to make necessary revisions to its current IT security policy to support the plan. The plan should include actions to

• enhance the professional development of personnel with significant IT security responsibilities, including developing and implementing a requirement for IT security certifications;

• identify essential training, ensure workforce members receive appropriate role-based and security awareness training, and track the training that has been taken;

• formally document the roles and duties of employees having significant IT security responsibilities and include IT security as a critical element in their performance plans; and

• provide appropriate security clearances for IT security personnel.
U.S. Department of Commerce, Office of Inspector General
Final Report CAR-19569-1, September 2009

Contents

Introduction ... 1
Findings and Recommendations ... 5
   I. The Department Has Not Devoted Sufficient Attention to Ensuring An Adequate IT Security Workforce ... 5
      A. Professional IT Security Certifications Are Not Required and Are Not Consistently Held ... 5
      B. Few Operating Units Have Identified Role-Based Training Requirements ... 6
      C. Many in the IT Security Workforce Do Not Regularly Receive Role-based Training ... 7
      D. IT Training Is Not Tracked Consistently ... 7
      E. The Effectiveness of IT Security Training Is Not Evaluated ... 8
      F. Professional Development Plans Are Not Generally Used ... 8
   II. Performance Management of the IT Security Workforce Needs to Be Improved ... 9
      A. Employees with Significant IT Security Responsibilities Are Not Formally Notified of their Roles on a Consistent Basis ... 9
      B. Performance Plans Do Not Always Contain IT Security Performance Elements ... 10
   III. The IT Security Workforce Lacks Appropriate Security Clearances ... 10
Conclusion ... 12
   Recommendations ... 13
   Other Matters ... 13
Appendix A: Objectives, Scope, and Methodology ... 15
Appendix B: Significant Information System Security Roles and Responsibilities ... 17
Appendix C: IT Security Employees Who Received Role-based Training in FY 2007 and FY 2008 ... 19
Appendix D: Full Text of Agency Response ... 20

Introduction

When government computer networks come under cyber attack, whether by foreign governments, hackers, identity thieves, or terrorists, the consequences can be catastrophic.
In response, the Department of Commerce and our nation as a whole have become increasingly concerned about protecting information technology (IT) systems and data.

This audit was prompted by the Department’s need for a more skilled workforce with the experience necessary to protect its IT systems and information and the challenges it faces in achieving this goal. The Department uses more than 300 IT systems to meet its mission of creating economic growth and opportunity by promoting innovation, entrepreneurship, competitiveness, and stewardship.

OMB Circular A-130, Management of Federal Information Resources, directs federal agencies to protect government information commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Consistent with Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, 32 of the Department’s systems are considered high impact, because a security breach can be expected to have a severe or catastrophic impact on organizational operations, assets, or individuals. The Department’s other systems are categorized as moderate impact if the potential adverse impact is serious and low impact if the potential adverse impact is limited.

Our audit focused on the workforce associated with the most sensitive unclassified systems in the Department, because these systems are highly critical to protect and should have the best trained and qualified workforce.
We reviewed the IT security workforce responsible for 11 systems at nine Commerce operating units.[1] Not all operating units have high-impact systems, so in those cases we selected moderate-impact systems to get a broader sample of operating units.

We reviewed workforce in the following operating units:

• Bureau of Industry and Security (BIS)
• U.S. Census Bureau
• International Trade Administration (ITA)
• The National Oceanic and Atmospheric Administration’s (NOAA) National Environmental Satellite Data and Information Service (NESDIS)
• National Institute of Standards and Technology (NIST)
• National Telecommunications and Information Administration (NTIA)
• NOAA’s National Weather Service (NWS)
• Office of the Secretary
• U.S. Patent and Trademark Office (USPTO)

[1] Eight of the systems we reviewed were high impact; three were moderate impact.

As a result of our discussions with senior officials during the course of the audit, the Department has begun to take steps to address many of our findings. We detail the objectives, scope, and methodology of our audit in appendix A.

IT Security Workforce at the Department

The Department defines the roles and responsibilities of IT security positions in the Department of Commerce 2009 Information Technology Security Program Policy. IT security is a Department-wide responsibility; it is not solely the duty of the Department and operating unit chief information officers (CIOs) and their staffs. Commerce senior officials are responsible for the day-to-day management and general supervision of the security of information and technology associated with their programs and operating units. System owners are accountable for the security of the systems over which they have day-to-day management and operational control, including selecting appropriate security controls and ensuring that system users and support personnel have the appropriate security training.

Department and operating unit CIOs are charged with ensuring compliance with IT security requirements, developing and maintaining a bureau-wide information security program, ensuring the training of personnel with significant IT security responsibilities, and assisting senior agency program officials in carrying out their IT security responsibilities. To that end, CIOs are tasked with designating a senior information technology security officer (ITSO) to carry out the CIO’s IT security instructions. In addition, each system has an information system security officer (ISSO) who works under the supervision of the system owner. The ISSO advises on the security considerations associated with the system and implements appropriate security controls.
The Department was unable to provide a complete listing of officials with significant IT security responsibilities, but it was able to identify more than 600 such officials.

The roles defined by Commerce’s IT security policy as having significant IT security responsibilities are in appendix B.

Strengthening the IT Security Workforce Is a Government-wide Challenge

OIG has identified information security as a management challenge for the Department since 2000. In our November 2008 top management challenges report,[2] we stated that the Department faces complex problems when putting proper information security controls in place. We noted that despite additional expenditures to mitigate the problem, the Department has reported information security as a material weakness every year since FY 2001. A material weakness is a control deficiency or combination of deficiencies that in management’s judgment should be reported outside the agency.

[2] U.S. Department of Commerce, Office of Inspector General, November 2008. Top Management Challenges Facing the Department of Commerce, OIG-19384. Washington, D.C., p. 6.
These deficiencies represent significant weaknesses in the design or operation of internal control and could adversely affect the organization’s ability to meet its internal control objectives.[3]

Cyber threats are a moving target, increasing in number and sophistication almost daily. This makes system security especially difficult. Our management challenges report observed that in order to be effective in this changing environment, the Department’s IT security program must be staffed by professionals who have the appropriate skills and experience to implement required security controls, have the ability to assess the staff’s effectiveness, and are able to anticipate and respond to emerging threats.

The need to strengthen the IT security workforce is a challenge for the entire federal government, not just the Department. Although the Department can take significant steps to improve its IT security workforce on its own, it is, like all federal agencies, hampered by an antiquated personnel system that impedes the hiring of the best qualified workforce.
The Partnership for Public Service and Booz Allen Hamilton reinforce this point in their report on the federal cybersecurity workforce, stating, “[O]ne of the biggest problems with the process for hiring cybersecurity talent is the government’s job classification system.”[4]

At the same time, the 2008 (ISC)² Global Information Security Workforce Study, a survey of the public- and private-sector workforce worldwide, states that current threats necessitate that “information security professionals must have the knowledge, skills and ability to properly address these challenges.”[5] The study shows the levels of education for the cybersecurity workforce increasing—with over 90 percent in the Americas holding a bachelor’s degree or higher.[6] Yet the only federal job classification specifically targeted toward IT security does not require a college degree.

During the past several years, several federal programs have been implemented to attract and retain highly-skilled, cyber-savvy individuals by sponsoring scholarships for students to pursue graduate or undergraduate degrees in the cybersecurity field. In return, scholarship recipients serve in the federal IT security workforce for a period of time. These programs include the Federal Cyber Service: Scholarship for Service, administered by the National Science Foundation in partnership with the Department of Homeland Security and the Information Assurance Scholarship Program at Department of Defense (DoD).

[3] Revisions to OMB Circular A-123, Management’s Responsibility for Internal Control, pp. 18-19.
[4] Partnership for Public Service and Booz Allen Hamilton, July 2009. Cyber In-Security: Strengthening the Federal Cybersecurity Workforce, p. 9.
[5] A Frost & Sullivan White Paper Sponsored by the International Information Systems Security Certification Consortium, Inc. (ISC)², The 2008 (ISC)² Global Information Security Workforce Study, p. 5.
[6] (ISC)² Global Information Security Workforce Study, pp. 11-12.

In April 2009, Senators John D. Rockefeller (D-W.Va.), Olympia J. Snowe (R-Maine), Evan Bayh (D-Ind.), and Bill Nelson (D-Fla.) introduced draft legislation (Cybersecurity Act of 2009) requiring, among other things, all providers of cybersecurity services to federal agencies to be certified.[7] Although this legislation is still in committee, Congress’s interest reflects a push to further professionalize the IT security workforce. Similar to the programs mentioned, the bill provides for scholarships for students to pursue graduate or undergraduate degrees in the cybersecurity field in return for federal IT security service.

[7] S.773, Senate Cybersecurity Act of 2009, April 2009. Sections 7 and 10.

Findings and Recommendations

I. The Department Has Not Devoted Sufficient Attention to Ensuring An Adequate IT Security Workforce

The Department has not devoted sufficient management attention and resources to ensuring it has an adequately skilled IT security workforce.
We found deficiencies\nin\n\n       \xe2\x80\xa2      the identification of training requirements,\n\n       \xe2\x80\xa2      adequacy and timeliness of training received,\n\n       \xe2\x80\xa2      evaluation of training effectiveness, and\n\n       \xe2\x80\xa2      structured professional development of individual workforce members.\n\nIn many cases, the Department and its operating units have not complied with the\nDepartment\xe2\x80\x99s own IT security policies and procedures. Also, we found that IT\nsecurity certifications are not required and are not consistently held by staff\nmembers. As a result of these factors, Commerce is at risk of not being satisfactorily\nprepared to protect its IT assets and information.\n\n       A. Professional IT Security Certifications Are Not Required and Are Not\n          Consistently Held\n\nOf the Department\xe2\x80\x99s IT security personnel, ITSOs and ISSOs have the most\ntechnically challenging responsibilities. However, about half of the ITSOs and\nISSOs we covered in our review do not possess professional certifications. For the\nnine operating units we reviewed, only four ITSOs possessed relevant IT security\ncertifications; for the 11 systems we reviewed, six ISSOs held relevant\ncertifications. Section 4.2.2 of the Department\xe2\x80\x99s Information Technology Security\nProgram Policy states that the \xe2\x80\x9cuse of professional certification is at the discretion\nof each operating unit.\xe2\x80\x9d Therefore, IT security certifications are not required by the\nDepartment.\n\nCertifications demonstrate that an individual has \xe2\x80\x9csought out the knowledge, skills,\nand abilities to defend an organization against possible breaches and build up\ndefenses.\xe2\x80\x9d8 Moreover, certification requirements encourage personnel to strive to\ndevelop beyond their present levels of experience and maintain currency in their\nfields. 
Certifications thereby promote professional development and enhance\nemployees\xe2\x80\x99 effectiveness in performing their roles within the organization.\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n8   (ISC)\xc2\xb2 Global Information Security Workforce, p. 14.\n\n\n                                                                5\xc2\xa0\n\x0cU.S. Department of Commerce                                             Final Report CAR-19569-1\nOffice of Inspector General                                                       September 2009\n\n\nIn 2004, DoD issued a directive establishing a requirement for the credentialing and\ncontinuing education of personnel. DoD requires IT security professionals,\nregardless of occupational series, to obtain a commercial information security\ncredential from a list of approved certifications. They must also maintain their\nprofessional certification through annual continuing professional education. This\nrequirement applies to all applicable civilian, military, and contract employees. DoD\nestablished an aggressive timetable for full compliance by 2011. The DoD CIO office\ninformed us that while Defense is making progress, it may not meet its target of\n70 percent of its IT security work force\xe2\x80\x94approximately 68,000 professionals\xe2\x80\x94\ncertified by the end of 2009.\n\nIn March 2009, the Government Accountability Office (GAO) testified that\ncybersecurity should be made a profession through testing and licensing. 
9 The draft\nCybersecurity Act of 2009 proposes to assign the development of a certification\nprogram to the Department of Commerce.\n\nThe Cyber In-Security report recommends that for cybersecurity professionals\nagencies \xe2\x80\x9cinclude a career path with opportunities to earn appropriate\ncertifications.\xe2\x80\x9d10 We encourage the Department to take a leadership role in the\nfederal CIO community to work with the Office of Personnel Management to\nestablish more rigorous requirements for IT security professionals, including\nrelevant educational requirements for entry-level positions and professional\ncertification for advancement.\n\nThe Department does not have to wait for legislation to implement its own\ncertification requirements. The Department\xe2\x80\x99s CIO, in consultation with the CIO\nCouncil, should develop certification requirements for Commerce\xe2\x80\x99s IT security\nprofessionals using DoD\xe2\x80\x99s program as a springboard. It should revise its IT security\npolicy to, at a minimum, require certification for ITSOs, who have lead security\nresponsibilities within the operating units, and ISSOs, who are on the front line\nprotecting the Department\xe2\x80\x99s IT assets and information.\n\n       B. 
Few Operating Units Have Identified Role-Based Training\n          Requirements\n\nThe Department\xe2\x80\x99s Information Technology Security Program Policy (Section 4.2.2)\nspecifies that operating units must ensure significant information security roles\n(e.g., ITSOs, ISSOs, CIOs, authorizing officials) receive specialized training within\nthe first 60 days from role appointment notification, and that refresher training\nmust take place annually.\n\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n9 GAO, March 2009. National Cybersecurity Strategy: Key Improvements Are Needed to Strengthen\nthe Nation\xe2\x80\x99s Posture, GAO-09-432T.\n10 Cyber In-Security, p. 18.\n\n\n\n\n                                                               6\xc2\xa0\n\x0cU.S. Department of Commerce                                      Final Report CAR-19569-1\nOffice of Inspector General                                                September 2009\n\n\nWe found that, of the nine operating units we reviewed, only the Census Bureau\nhas specific requirements for the number of training hours and types of training\nneeded, and NIST is working on requirements. Most operating units provided no\ninformation on the necessary initial training courses or annual refresher training.\nWithout specified training requirements, operating units cannot assure appropriate,\nsufficient, or timely training. The Department should define a minimum set of\ntraining requirements, to be supplemented by the operating units to address their\nparticular security concerns.\n\n   C. 
Many in the IT Security Workforce Do Not Regularly Receive Role-\n      based Training\n\nIn our audit, we found that IT security professionals at four operating units had not\nreceived training for at least one year. Also, of the personnel we interviewed in the\nnine operating units covered in our audit, 35 percent (19 of 55) did not receive role-\nbased training in FY 2007 or FY 2008.\n\nThe results of our FY 2007 and FY 2008 Federal Information Security Management\nAct (FISMA) review of role-based training further demonstrate the need for\nimprovement (see appendix C). Lack of role-based training for IT security\nprofessionals goes beyond the operating units and systems included in our audit\nsample. Since training and education are the key factors in the competencies of IT\nsecurity employees, it is a serious concern that so many do not receive regular role-\nbased training.\n\n   D. IT Training Is Not Tracked Consistently\n\nHuman Resource Bulletin #076 on training policy requires each bureau to maintain\nand report accurate training data. In addition, it requires that as of December 10,\n2007, Department of Commerce employees must use the Commerce Learning\nCenter (CLC), a Web-based training resource, to initiate, approve, and record\ncompleted training. 
The CLC can identify classes that personnel are enrolled in, track assignments that have been submitted for instructor approval, and record courses and assignments staff members have completed.

Section 4.2.3 of the Department’s Information Technology Security Program Policy “requires operating units to document and monitor individual information system security training activities including basic security awareness training and specific information system security training.” The policy further states that “the [CLC] records documentation shall include the incumbent’s name, role, type of training received, and the date when training was accomplished or date professional certification was verified.” However, our audit found that CLC was not being used to track role-based training. Specifically, we found that:

   1) six operating units use a database or Excel spreadsheet to track role-based training, and

   2) three operating units have their employees track role-based training themselves.

We also identified concerns with the tracking of annual IT security awareness training for some Department employees. The CLC database did not have records showing completion of IT security awareness training for FY 2008 for almost 18 percent of our sample (out of 26 employees and 2 contractors, 5 did not have records in the CLC).

Operating units that leave the responsibility of tracking role-based training to their employees cannot ensure that the training records are accurate, timely, and consistent with the employee and organizational needs.
A centralized system that identifies expected training, records completed training, and enables periodic review by management should be used to ensure the appropriate and timely training of IT security professionals.

   E. The Effectiveness of IT Security Training Is Not Evaluated

Our audit found that training evaluation was not performed at the nine operating units we reviewed. Consequently, not only are IT security professionals not receiving training regularly, but Commerce management cannot determine how effective any training has been. Several operating units told us that obtaining training resources was difficult and that the quality of courses available from the CLC was inadequate, which raises the concern that IT security staff members are not receiving the most helpful training and the Department is not making the best use of its limited training budget.

NIST Special Publication (SP) 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, which provides guidelines for IT security training, states that course evaluation should be a component of an organization’s IT security program. Evaluating courses measures the quality of the training programs being offered and ensures limited budget funds are not put toward ineffective training. If training content is incorrect, outdated, or inappropriate, the training will not meet the needs of the employees or the Department.

   F. Professional Development Plans Are Not Generally Used

A development plan is a personal action plan that has been agreed to by the employee and supervisor. It identifies short- and long-term career goals, the training and other development experiences (such as completing relevant assignments or studying materials) needed to achieve those goals, and the time frame in which the plan is to be accomplished. Specifically, development plans

   •   identify and assess future developmental needs or competency areas,

   •   identify structured learning experiences linked to an organization’s goals and objectives,

   •   establish agreed-upon developmental activities for the employee’s career development,

   •   promote formal career development, and

   •   provide a means to fill employee and organizational competency gaps.

In addition, development plans can serve as a tool for collecting the cost information needed to establish a strategy for developing and enhancing the skills and experience of the Department’s IT security workforce.

Of the nine Department operating units we reviewed, only the Office of the Secretary and the Census Bureau consistently used individual development plans to guide the professional development of their IT security employees and remediate competency limitations or gaps. The other seven operating units infrequently used individual development plans. Officials at these seven units told us that plans for the employees’ professional development were not documented, but that supervisors and employees discussed training during performance appraisals.

II.    Performance Management of the IT Security Workforce Needs to Be Improved

Our audit found that IT security personnel were not always notified of their responsibilities in writing and that not all personnel with significant IT security roles had IT security as a critical element within their performance plans.

   A. Employees with Significant IT Security Responsibilities Are Not Formally Notified of Their Roles on a Consistent Basis

Section 4.2.2 of the Department’s Information Technology Security Program Policy states that for personnel with significant information security roles, role notification must be made within the first 10 business days of appointment. Section 3.3.1 of the policy directs operating unit CIOs to appoint in writing an ITSO to implement the bureau’s IT security program. However, the Department’s policy does not specify how staff holding other IT security positions are to be notified of their roles and responsibilities.

Our audit found that ITSOs did not consistently receive formal written notification of their roles. We found no written notification for ITSOs at the Census Bureau, NESDIS, and NIST. We found a similar lack of written notification for ISSO positions for specific systems at NWS and USPTO, and the written notification of the ISSO position for a NESDIS system was updated during our audit. While the Department’s IT security policy only requires written notification for ITSOs, formally communicating duties to all personnel having significant IT security responsibilities would not only be an effective practice for ensuring they are aware of their responsibilities, but would also establish an audit trail of management’s delegation of accountability.

   B. Performance Plans Do Not Always Contain IT Security Performance Elements

Department Administrative Order 202-430, Performance Management System, establishes Commerce’s performance management system for general schedule employees.
The order states, “[P]erformance plans are the documentation of performance expectations communicated to employees by supervisors. Plans define the critical elements and the performance standards by which an employee’s performance will be evaluated.”

The GAO states11 that “performance evaluation and feedback … should be designed to help understand the connection between employee performance and the organization’s success.”

Although Department employees were provided regular performance appraisals, we found several instances in which IT security responsibilities were not included in their performance plans. With constantly evolving cyber security threats, protecting the Department’s IT assets and information is a critical part of all employees having significant IT security responsibilities. Therefore, performance expectations for IT security should be included as a critical element in employees’ performance plans and staff should be held accountable for their performance.

III.   The IT Security Workforce Lacks Appropriate Security Clearances

Section 4.13.2 of the Department of Commerce Information Technology Security Program Policy states that operating unit ITSOs are required to have a top secret/sensitive compartmented information (TS/SCI) clearance, and a sufficient subset of support staff is required to have a secret clearance.

Our audit found that ITSOs did not always have the level of security clearance that the Department’s policy requires. Based on information provided by the Office of Security, we found that eight of nine ITSOs did not have TS/SCI clearances, and three of nine ISSOs did not have secret clearances.
Lack of appropriate clearances limits the ability of these employees to obtain complete information on current cybersecurity threats and vulnerabilities and can reduce their effectiveness in protecting the Department’s IT assets and information. ISSOs, who are on the front line of protecting the Department’s information assets, should have at least secret-level clearances.

11 GAO, November 1999. Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1.

Conclusion

The Department has not been taking the necessary steps to develop and maintain an effective IT security workforce able to combat the cyber threats that continue to increase in both number and complexity.

Our audit found that Department management has not devoted sufficient attention and resources to identifying training requirements, ensuring adequacy and timeliness of training, evaluating training effectiveness, and structuring professional development. We also found a lack of formal assignment of accountability for IT security and inconsistent efforts toward securing appropriate clearances for IT security personnel. Moreover, the Department and its operating units have not complied with the Department’s IT security policies and procedures. As a result, Commerce is at risk of not being satisfactorily prepared to protect its IT assets and information.

We are particularly concerned with the weaknesses found among the IT security workforce responsible for high-impact systems, because a security breach would have a severe impact on these systems. The Department and several operating units cite a lack of resources as a major impediment to providing adequate training for IT security personnel. This makes it particularly important for the Department to establish risk-based training priorities and develop a plan for ensuring adequate IT security workforce training.

Initial focus should be placed on strengthening the segment of the workforce responsible for securing the systems that, if compromised, would pose the greatest threat to the Department’s ability to meet its mission, safeguard its assets, and protect its information.
This risk-based approach would start with training the workforce responsible for high-impact systems and a prioritized set of moderate-impact systems. However, even the workforce associated with low-impact systems needs to be well qualified and trained because vulnerabilities in these systems can be used to stage attacks on high- and moderate-impact systems on the same network, including systems outside the Department of Commerce.

In its September 30, 2009, response to our draft report, the Department agreed with our audit findings and made a commitment to address our recommendations immediately. The Department’s Office of the Chief Information Officer is partnering with the Office of Human Resources Management to develop an IT security workforce improvement program.

Recommendations

To develop and maintain an effective IT security workforce, we recommend Commerce establish and implement a Department-wide plan that addresses the deficiencies identified in this audit. The plan should include actions to:

   1. enhance the professional development of personnel with significant IT security responsibilities, including developing and implementing a requirement for IT security certifications for, at a minimum, ITSOs and ISSOs;

   2. identify essential role-based training and security awareness training, ensure workforce members receive appropriate training, and track the training that has been taken;

   3. ensure the individual professional development of members of the IT security workforce;

   4. formally document the roles and duties of employees having significant IT security responsibilities, and include IT security as a critical element in their performance plans;

   5. provide security clearances commensurate with IT positions and responsibilities;

   6. identify the resources and time frame needed to implement the plan; and

   7. make necessary revisions to the Department’s IT security policy to support the plan.

Other Matters

Developing and maintaining an effective IT security workforce is a government-wide issue. Therefore, we encourage the Department’s CIO to take a leadership role on the Federal CIO Council to work with the Office of Personnel Management to reassess the position requirements for the IT security workforce with the goals of better defining duties and responsibilities, establishing certification requirements, and professionalizing the workforce through appropriate educational requirements.

Summary of Agency Response and OIG Comments

In responding to the draft report, the Deputy Secretary of Commerce agreed with the report findings, particularly those pertaining to professional development, performance management, and security clearances. The Deputy Secretary also expressed the Department’s commitment to taking immediate action based on our recommendations. The Department’s Office of the Chief Information Officer is partnering with the Office of Human Resources Management to develop an IT security workforce improvement program. We support this partnership.

Where appropriate, we modified this report to incorporate comments from other agencies.
Based on NIST’s remarks, we clarified our position that management and the CIO share responsibility for ensuring IT security training. NIST also feels that we should remove the recommendation that Commerce take a leadership role in the Federal CIO Council to address workforce issues, as the Department is currently represented at the Federal IT Workforce committee. We should note in response that our suggestion was not a formal recommendation; however, if the Department shares any best practices or lessons learned as it corrects its own workforce issues, other agencies would benefit from our experiences.

BEA cautioned that if a TS/SCI clearance becomes mandatory, the requirement must be properly worded in vacancy announcements. Our report notes that TS/SCI clearance is already a requirement, but it is not being followed. We suggest the Department consider BEA’s suggestion in its plans to address the recommendations contained within the report. See appendix D for complete agency comments.

We are encouraged that steps have already been initiated to address our recommendations, and we look forward to the Department’s action plan that will provide details on the corrective actions to be taken.

Appendix A: Objectives, Scope, and Methodology

The objective of our audit was to assess the Department’s efforts in developing and maintaining an effective IT security workforce to protect its systems and data.
We self-initiated this audit in February 2009 because we recognized the continued threats to the Department’s computer networks, and we have long identified IT security as a top management challenge.

Our review focused on systems identified as high and moderate impact because security breaches of those systems would have the greatest negative impact on the Department. We expected the Department and its operating units to place particular emphasis on ensuring these systems were staffed with experienced and trained professionals.

Specifically, we reviewed the training and professional development, accountability, and security clearances of IT security personnel responsible for eight high-impact systems at operating units that had high-impact systems, and at three moderate-impact systems for operating units that lacked high-impact systems. We performed a non-statistical random sample of the Department’s more than 300 systems, of which 32 are high-impact. We initially selected the operating units with high-impact systems and, in cases in which they had more than one such system, we randomly selected the system(s) to be reviewed. To broaden our coverage, we judgmentally selected three additional operating units. For each of these operating units, we randomly selected a moderate-impact system to include in our review.

We obtained an understanding of internal controls through interviews with 55 employees from the Department’s Office of Chief Information Officer and officials at nine operating units (BIS, Census, ITA, NESDIS, NIST, NWS, NTIA, Office of the Secretary, and USPTO).
In addition, we collected and reviewed information on IT security personnel, including their job series, annual performance plans, professional development plans, receipt of IT security awareness or role-based training, and level of security clearance.

We held our entrance conference at the Department’s CIO Council meeting in February 2009 and briefed the Council again on the status and results of our audit work on June 26, 2009. We also had several meetings with the Office of the Chief Information Officer to keep it informed on the results of our work.

To assess the reliability of the data from the CLC, we selected a sample of employees for 2008 and 2009. We found that the CLC database did not always have accurate information; therefore, we did not rely on the computer-processed data for the purposes of our audit.

We reviewed the Department’s compliance with applicable provisions of pertinent laws and regulations, including:

   •   Federal Information Security Management Act of 2002, 44 U.S.C. § 3541 et seq;

   •   OMB Circular A-130, Management of Federal Information Resources;

   •   FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;

   •   NIST SP 800-50, Building An Information Technology Security Awareness and Training Program;

   •   NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;

   •   NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model;

   •   Department of Commerce Information Technology Security Program Policy introduced by the CIO on March 9, 2009;

   •   Department of Commerce Information Technology Security Program Policy and Minimum Implementation Standards issued on June 30, 2005;

   •   Department of Commerce Department Administrative Order 202-430, Performance Management System; and

   •   GAO’s Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1).

Our audit findings report on instances in which policies and procedures were not met. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We conducted our review from February 2009 through September 2009 under the authority of the Inspector General Act of 1978 and Department Organization Order 10-13.
We performed our work at the Department of Commerce headquarters in Washington D.C.; NIST in Gaithersburg, Maryland; NWS in Silver Spring, Maryland; the Bureau of Census in Suitland, Maryland; and USPTO in Alexandria, Virginia.

Appendix B: Significant Information System Security Roles and Responsibilities

Commerce Position and Role

   Chief Information Officer
      Designates a senior information security officer; develops and maintains information security policies, procedures, and control techniques; and trains and oversees personnel with significant information security responsibilities.

   Chief Information Security Officer
      Designates a senior information security officer; develops and maintains information security policies, procedures, and control techniques; and trains and oversees personnel with significant information security responsibilities.

   Operating Unit Chief Information Officer
      Provides the overall management, leadership, and direction to operating unit security programs, including training and overseeing personnel with significant responsibilities for IT security and appointing an ITSO in writing.

   Operating Unit Information Technology Security Officer
      Has the lead responsibility for IT security within the organization.

   Information System Security Officer
      Ensures the appropriate operational security posture is maintained for specific information systems.

   Authorizing Official
      Assumes responsibility for operating information systems at an acceptable level of risk by granting an authorization to operate. Authorizing officials may be line officials or CIOs.

   Information Owner/Information System Owner
      A line office official responsible for deciding access to the information system and ensuring that system users and support personnel receive the requisite security training.

   Certification Agent
      Is responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system, to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting system requirements.

   IT Security Incident Response Personnel
      Are responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, coordinating incident response activities, and interacting with the Federation of Computer Incident Response Teams and others to disseminate reasoned and actionable cyber security information.

   Key Contingency Roles
      Are officials identified in Continuation of Operations, disaster recovery, and IT contingency plans that are responsible for ensuring respective plans are maintained, tested, integrated with other plans, adequate in scope, and relevant.

Appendix C: IT Security Employees Who Received Role-based Training in FY 2007 and FY 2008

   Columns: Operating Unit Reviewed for FISMA; Employees Requiring Role-based Training; Employees Who Received Role-based Training (a); Percentage (%) of Employees Who Received Role-based Training

   Operating Units Examined in FY 2007
      USPTO Patents          147     84     57
      NIST                   131     99     76
      NOAA/NOS                31      8     26
      NTIS                    27     23     85
      EDA                      4      4    100

   Operating Units Examined in FY 2008
      NOAA/NESDIS             62     38     61
      BIS                      8      4     50
      BEA                      3      3    100
      USPTO Trademarks         3      3    100

   Source: 2007 and 2008 OIG FISMA Reports

   (a) As reported in OIG’s FY 2007 and FY 2008 FISMA evaluations

Appendix D: Full Text of Agency Response

Comments on draft OIG IT Security Workforce Audit

Operating Unit: Comments

The Department of Commerce, Office of the Secretary (DOC/OS):
   DOC/OS agrees with the introduction of the audit report that IT security is not just the responsibility of the Chief Information Officer (CIO), but rather a broader shared responsibility.
   For this reason, we are partnering with the Office of Human Resources Management to develop an IT Security workforce improvement program (Audit Report, page 2).

The National Institute of Standards and Technology (NIST):
   NIST suggests that: (1) management is responsible for ensuring that staff receive appropriate training in their programs and operating units; (2) CIOs are responsible for local policies regarding training, and for ensuring that policies are complied with and that training is received; and (3) local management, not the CIO, are responsible for ensuring that staff in programs and operating units are qualified to do their (security) work (Audit report, page 2).

   NIST reported that a few references in the draft (Cybersecurity Act of 2009) should be removed. NIST has concerns that the bill is not yet out of Congressional committee and that the Senate bill does not have a House companion bill. Dozens of bills on cybersecurity have been introduced in previous Congresses, and few become law (Audit report, page 3).

   NIST responded that the recommendation that DOC take a leadership role in the Federal CIO Council to address workforce issues should be removed. The Department is currently being represented at the Federal IT Workforce committee (Audit report, page 13).

The Bureau of Economic Analysis (BEA):
   In practice, the requirement discussed in Paragraph III appears to be overstated. In BEA, TS/SCI data is not meant to be used at the operational level.
   A better solution would be to have a Senior Intelligence Officer at DOC with authority to sanitize compartmented information to which the operating units need to respond. If a TS/SCI clearance becomes mandatory, it is imperative that the requirement be worded properly on a job announcement to avoid a "Catch-22" scenario. SCI clearances do not transfer from one organization to another (Audit report - page 10).